ASA 8.X : How to deny remote access to LDAP users that don't have Remote Access Permissions
One of the attributes of an Active Directory user is the Remote Access Permission, stored in the LDAP attribute msNPAllowDialin.
It can be found under the Dial-in tab of the user's properties:
If you have already set this value for all of your users, you might want to reuse it once you set up remote access to your firewall.
There are two ways to allow AnyConnect or IPSec access only to users who have this permission set:
1.) Dynamic Access Policies
First, you'll need to create a new DAP (Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies in ASDM).
Under this new DAP, add a selection criterion under AAA Attributes that checks that ldap.msNPAllowDialin is equal to TRUE, and set the action for this DAP to "Continue" as shown in the following picture:
Once this is done, you only need to set the action on the DfltAccessPolicy to "Terminate":
That way, users that either have msNPAllowDialin set to FALSE or don't have this attribute at all will not match the new DAP, will fall through to the DfltAccessPolicy, and will be denied access. Keep in mind that the DfltAccessPolicy applies to every session that matches no other DAP, so sessions authenticated against a source that returns no ldap.* attributes (the LOCAL database or a RADIUS server, for example) will be terminated too unless you create a DAP that matches them.
2.) Group Policy switching through LDAP attribute-map:
With an LDAP attribute-map, you can change the group-policy that will be assigned to the user once he connects. If you forbid access in the group-policy that users are sent to when they don't have the Remote Access Permission set, you'll achieve the same effect as with the first technique.
Setting vpn-simultaneous-logins to 0 under the NoVPN group-policy will prevent people who have msNPAllowDialin set to FALSE from logging in.
If you are afraid that some of the users might not have the msNPAllowDialin attribute at all, you might want to set vpn-simultaneous-logins to 0 under the DfltGrpPolicy group-policy as well, since a user with no mapped value lands on the default group-policy. If you do, only users mapped to the AllowVPN group-policy should be able to log in.
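As an added example that is not part of the original document, here is the full ASA CLI configuration for the second technique. The names MAP-DIALIN, LDAP-AD, RA-VPN, the bind DN, the base DN and the server address 10.0.0.10 are assumptions for illustration; NoVPN and AllowVPN are the group-policy names used above.

```cisco
! --- Group-policies ---
! Users mapped here cannot establish any session (0 simultaneous logins).
group-policy NoVPN internal
group-policy NoVPN attributes
 vpn-simultaneous-logins 0
!
! Users mapped here are allowed in.
group-policy AllowVPN internal
group-policy AllowVPN attributes
 vpn-simultaneous-logins 3
!
! Users with no msNPAllowDialin value at all fall back to the default
! group-policy, so deny there as well.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
!
! --- LDAP attribute-map ---
! map-name links the AD attribute to the Cisco attribute Group-Policy;
! map-value translates each AD value into a group-policy name.
! AD returns the boolean as the strings TRUE / FALSE (values are case-sensitive).
ldap attribute-map MAP-DIALIN
 map-name  msNPAllowDialin Group-Policy
 map-value msNPAllowDialin TRUE  AllowVPN
 map-value msNPAllowDialin FALSE NoVPN
!
! --- AAA server (assumed name and address) ---
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map MAP-DIALIN
!
! --- Tunnel-group (assumed name) ---
tunnel-group RA-VPN general-attributes
 authentication-server-group LDAP-AD
 default-group-policy DfltGrpPolicy
```

Two things to check after applying this: first, the fallback only works if the tunnel-group's default-group-policy is the one where you set vpn-simultaneous-logins 0, so if your tunnel-group points at a different default-group-policy, set the 0 there instead of (or in addition to) DfltGrpPolicy; second, every other tunnel-group that inherits from DfltGrpPolicy is affected by that setting, so give those tunnel-groups their own group-policy with a non-zero login count. "debug ldap 255" during a test login shows the attribute value returned by AD and the group-policy the map selected.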
Here are some documents that could be useful if you want to learn a bit more on the subject: